Messaging tools like Facebook's WhatsApp and Internet services that automatically encrypt the content of texts, phone calls and other data while they're being sent are increasingly becoming a problem for national security and criminal investigations, according to the Federal Bureau of Investigation.
Capturing that data while it's in transit is essential, the agency says. Not so fast, say privacy advocates. Not even possible, say the companies.
"We're kind of all waiting for the next big test case," said Andrew Crocker, a staff attorney with the Electronic Frontier Foundation in San Francisco, which is suing the Justice Department over whether the government has ever used secret court orders to force technology companies to decrypt the private communications of their customers.
And while legal strategies are plotted in the US, the threat of encrypted applications isn't theoretical. Supporters of Islamic State and al-Qaida in the Arabian Peninsula have already found alternatives to US-based apps, potentially limiting intelligence gathering on terrorist plots after a year in which scores were killed in attacks in Paris, Brussels and San Bernardino, California.
Although the FBI found workarounds for two high-profile cases involving data on locked iPhones, law enforcement agencies confront unique legal challenges to compel companies to provide access to encrypted communications, including laws written more than two decades ago when the Internet was just emerging. And as players in the debate stake out their positions, the results of new cases are likely to define the rules for digital rights for several decades.
"This is the new frontier and it is a much more expansive frontier in terms of its effect on law enforcement investigations," said Edward McAndrew, a former federal prosecutor who's now a partner with the law firm Ballard Spahr.
While the FBI and other law enforcement agencies can seek court orders compelling companies to comply with wiretap orders, at least two issues make it harder for agencies to get the data they're seeking in cases that are likely to come:
- Investigators say they have been left behind by rapid advances in technology. In order to intercept the content of communications being sent in real-time, investigators have to use laws that limit their reach, such as the 1994 Communications Assistance for Law Enforcement Act.
- The ability to protect information with encryption, which scrambles data using a secret code that can be unlocked only with a special key known solely to the user, means companies may not even be able to provide law enforcement the data sent on their networks or through their applications.
WhatsApp on April 5 finished giving its users encryption by default as well as complete control over the keys for all its messaging services, including photos, phone calls and group chats, said spokesman Matt Steinfeld. Apple Inc. said it began offering full end-to-end encryption for its iMessage platform and FaceTime video service about five years ago.
WhatsApp's encryption arose as an issue in Brazil this month, when a judge shut down the service for a day for not making data available to law enforcement. Facebook Chief Executive Officer Mark Zuckerberg called the move against WhatsApp, which has more than 1 billion subscribers worldwide, frightening.
"The idea that everyone in Brazil can be denied the freedom to communicate the way they want is very scary in a democracy," Zuckerberg said in a May 3 blog post.
In the United States the FBI showed its willingness to bring a legal case over encryption when it served Apple with a court order in February compelling the company to help access the data stored on an iPhone used by Syed Rizwan Farook, who with his wife carried out a deadly December attack in San Bernardino, California. The bureau ultimately backed down in March when it bought a hacking tool to get into the phone without Apple's help.
The government has a weaker legal argument when it comes to requiring a company to provide access to encrypted "data in motion" as it travels over the Internet than it does in demanding "data at rest" stored on a device, said Marc Zwillinger, a former federal cybercrime prosecutor.
The Communications Assistance for Law Enforcement Act doesn't cover many Internet services and expressly states that a telecommunications provider can't be responsible for decrypting any communication if it doesn't possess the information necessary to do so, said Zwillinger, a managing member of ZwillGen who often represents technology companies, including Apple in the San Bernardino case.
Even if the government succeeded in getting a company to break encryption, users could move to another encrypted messaging service located outside the U.S., said Peter Toren, a former federal computer crimes prosecutor and now a partner with the law firm Weisbrod Matteis & Copley.
"The FBI certainly has no jurisdiction, nor ability, to extract information from providers that are outside the United States," Toren said. "Technology is changing the game."
One such application is Telegram, which lets users build message groups of as many as 200 people and has been favored by Islamic State and al-Qaida in the Arabian Peninsula, according to a report by the Middle East Media Research Institute. While Telegram has blocked public message channels used by Islamic State, it has said it won't limit encrypted private messages, which can self-destruct on a timer.
Sometimes the only way to obtain the content of communications is when it's in transit because companies don't retain it on their servers, according to the FBI.
In a limited number of cases, even encrypted information can be useful to the bureau. The agency might find a way to decrypt it at a later time, or combine it by using other investigative techniques to pursue a case. But the agency says there's no substitute for having the content of communications.
"As you see WhatsApp, Viber and others moving to what they're calling end-to-end encryption for messaging, that all but guarantees the government, at least through its criminal investigative authorities, would not be able to intercept that content," said McAndrew.
If the FBI concludes it needs access to such data, "the court system is not going to be the proper place to resolve it," Zwillinger said.
Toren and McAndrew said the best solution would be for Congress to update laws governing wiretaps and access to data.
Amid the impasse, the problems for law enforcement keep mounting.
From July to December last year, law enforcement agencies requested information for 5,192 Apple accounts, according to the company's latest transparency report. The company said it provided some data in response to 82 percent of government requests. The report doesn't specify how many of the requests were wiretap orders.
US officials fear more companies will "develop and market easy-to-use, seamless, end-to-end encryption," the Office of the Director of National Intelligence said in a May 5 letter to Sen. Ron Wyden, an Oregon Democrat.
"This means that law enforcement and national security personnel are losing access to the one area that we care about the most - the content of communications of violent criminals and terrorists," according to the letter from Deirdre Walsh, the intelligence office's director of legislative affairs.
Groups such as the Electronic Frontier Foundation say they worry, however, that agencies might try to use the secretive Foreign Intelligence Surveillance Court that oversees spying in an effort to compel a company to decrypt data in motion without the public knowing.
"The real worry from the privacy and advocacy community is that it would be happening behind closed doors, under seal and in secret," Crocker said. "That's not going to set a good legal precedent."
© 2016 Bloomberg L.P.